Compliance

What Is CUI For SBIR Companies?

07/2025

5 min read

Introduction

Small Business Innovation Research (SBIR) companies often work on cutting-edge projects funded by the U.S. Department of Defense (DoD). With these opportunities comes the responsibility to safeguard Controlled Unclassified Information (CUI), especially for Phase II companies. To understand these cybersecurity expectations, it helps to know the experts shaping this guidance.

Kelley Kiernan has historically been the point of contact within the DoD SBIR program. She has held Chief Technology Officer roles for the Air Force, Space Force, and now the U.S. Navy Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) programs, and she founded the DoD’s Blue Cyber Initiative—a support program offering office hours, weekly webinars, and technical resources to help the thousands of DoD SBIR/STTR firms meet the cybersecurity requirements in their contracts.

She is now a professor of Cybersecurity at the DoD’s Defense Acquisition University (DAU), where she trains contracting officers, program managers, engineers, and others within the government on how NIST SP 800‑171, CMMC, and the DFARS/FAR cybersecurity clauses apply to federal contracts.

CUI in Phase I vs. Phase II

"I've never seen a Phase II SBIR that is not generating CTI."

- Kelley Kiernan

SBIR awards evolve in scope and in security expectations. While Phase I contracts may or may not involve Controlled Unclassified Information (CUI), Phase II projects almost always generate and handle sensitive technical data. As a result, Phase II awardees must fully implement the rigorous—and often costly—cyber requirements of DFARS 252.204-7012 and NIST SP 800-171. These requirements are not only extensive but also expensive, because even small SBIR companies need a qualified cybersecurity professional to implement them correctly. As Kelley puts it, “Whoever is doing your cyber needs to be a professional,” and in her “It Might Be CUI If…” webinar she notes that qualified cybersecurity professionals “cost at least $100,000.” Because much of the CUI that SBIR companies handle is self-generated, Kelley points out that these businesses also have a “vested self-interest” in protecting their own information—not just the government’s.

As she emphasizes in her DAU webinars, “I’ve never seen a Phase II SBIR that is not generating CTI,” referring to Controlled Technical Information, a common form of CUI. She also warns that even if CMMC requirements are not yet formally in place for your current phase, “they may implement them ahead of the scheduled phase—and they probably will.”

Defining CUI

In the DAU webinars “Protecting DoD Scientific and Technical Information (STI)” and “It Might Be CUI If…”, Kelley Kiernan and Jodi St. Pierre, the program manager at Air Force Materiel Command (AFMC) responsible for implementing and administering the Scientific and Technical Information (STINFO) Program, provide guidance on the types of Controlled Unclassified Information that SBIR companies may encounter. They emphasize that CUI includes any government-created or contractor-held information requiring protection under federal law, regulation, or policy:

Export-controlled research: Technical information about commodities, technologies, or software whose export could affect national security. As Kelley explains, this type of CUI is “regulated under the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), which place strict limits on the release of sensitive technical data to foreign persons or entities, even within the U.S.”

Controlled Technical Information (CTI): Technical information with military or space applications subject to DoD controls. This is the most common category SBIR companies generate. Kelley shares insight into the types of CTI in her Blue Cyber Series video titled “Protection of Common Types of Department of Defense Controlled Unclassified Information”:

  • Engineering data
  • Technical drawings
  • Research analyses
  • Technical studies
  • Source code
  • Executable code

Practical Implications for SBIR Companies

If you conduct R&D as part of your contract, any resulting data is considered STINFO by the DoD and must be properly marked. This might go by STI or STP if you are in the Navy or Army SBIR program. Jodi St. Pierre, a highlighted speaker in the DAU’s “Protecting DoD Scientific and Technical Information (STI)” webinar, explains that, by default, such data must carry Distribution Statement E, which restricts dissemination without DoD approval. While some STINFO can be publicly releasable, most is controlled or even classified—and only the Controlling DoD Office (CDO) can change its distribution statement. Kelley additionally offers recommendations on what your next steps should be if you are unsure how to classify data:

  • Consult your Technical Point of Contact (TPOC), who should escalate questions to their CDO if they do not know the answer.
  • Contracting officers can also be asked, but they may have limited knowledge of the details of your work as they typically rotate through contracting sprints and are not deeply familiar with specific program details.

In practice, any time you create data such as engineering data, drawings, technical studies, source code, executable code, or research analyses with SBIR funding, you as the contractor need to mark that data as Distribution Statement E per STINFO (Scientific and Technical Information) guidance. While STINFO does not automatically qualify as Controlled Technical Information (CTI), in reality, “99% of STINFO is CTI,” as Kelley Kiernan of the Defense Acquisition University (DAU) explains.

Common SBIR Company Challenges

My TPOC doesn’t know what CUI is: CUI is still a relatively new term that is being implemented across the DoD, so knowledge gaps are common. If your TPOC seems unsure, ask them to refer you to the Controlling DoD Office (CDO) or the cybersecurity team at their program office for clarification. For authoritative guidance, you can also refer to Defense Acquisition University (DAU) resources and webinars.

My contracting officer doesn’t know if I am dealing with CUI or not: Because contracting officers often rotate through contracting sprints, they may not be deeply familiar with the specifics of your program. However, if your contract includes the DFARS 252.204‑7012 clause, you are contractually obligated to safeguard any Controlled Technical Information (CTI) contained within it—whether it is clearly identified to you or not.
